auriga-cli 1.18.4 → 1.19.1

package/README.md

@@ -58,7 +58,7 @@ For a browser-based view of what's installed and one-click apply, run:
 npx auriga-cli web-ui
 ```
 
-This boots a local server on `127.0.0.1`, opens your default browser, and serves a dashboard that scans the current project, shows each module's status (installed / update-available / not-installed), and applies install / update / uninstall in a queue with live SSE progress. The server shuts down on its own ~15 s after the browser closes.
+This boots a local server on `127.0.0.1`, opens your default browser, and serves a dashboard that scans the current project, shows each module's status (installed / not-installed / partial-install), and applies install / uninstall in a queue with live SSE progress. Re-running install is the update path — every installer is idempotent and overwrites in place. The server shuts down on its own ~15 s after the browser closes.
 
 The UI is opt-in — `npx auriga-cli` still launches the TTY menu below.
 

package/README.zh-CN.md

@@ -52,13 +52,13 @@ npx -y auriga-cli --help                     # 完整 catalog + flag 说明
 
 ### Web UI（可选）
 
-如果想在浏览器里看到“已装 / 可更新 / 未装”全景并一键 apply，跑：
+如果想在浏览器里看到“已装 / 未装 / 半装”全景并一键 apply，跑：
 
 ```bash
 npx auriga-cli web-ui
 ```
 
-它会在 `127.0.0.1` 起一个本地 server、自动开浏览器，扫描当前项目并展示 5 个分类的状态。勾选要安装/更新/卸载的项目后点 Apply，SSE 实时回传执行进度。关浏览器后约 15 秒 server 自动退出。
+它会在 `127.0.0.1` 起一个本地 server、自动开浏览器，扫描当前项目并展示 5 个分类的状态。勾选要安装/卸载的项目后点 Apply，SSE 实时回传执行进度。需要"升级"时就重新 install——每个安装器都是幂等覆盖。关浏览器后约 15 秒 server 自动退出。
 
 Web UI 是显式入口；`npx auriga-cli` 仍然走下面的 TTY 菜单。
 

package/dist/api-types.d.ts

@@ -1,4 +1,9 @@
-export type ItemStatus = "installed" | "update-available" | "not-installed";
+export type ItemStatus = "installed" | "not-installed"
+/** Dual-Agent plugin where some target Agents have the plugin installed
+ *  and some don't (e.g. Claude side installed, Codex side missing). The
+ *  user-facing action is "install on the missing side"; the missing
+ *  agents are enumerated in `PluginState.missingAgents`. */
+ | "partial-install";
 /**
  * Per-category scan scope. Each category (workflow / skills / plugins / hooks)
  * can be independently scanned in either user scope (~/.claude/, ~/.codex/)
@@ -23,8 +28,6 @@ export interface StateReport {
 }
 export interface WorkflowState {
     status: ItemStatus;
-    currentVersion?: string;
-    expectedVersion: string;
     /** Which scope the scanner read to produce this row. Reflects the scope
      *  scanned, not where the file was found — e.g. when scope=user and
      *  ~/.claude/CLAUDE.md is absent, observedScope is still "user". The
@@ -38,8 +41,6 @@ export interface SkillState {
     description: string;
     status: ItemStatus;
     isWorkflow: boolean;
-    currentHash?: string;
-    expectedHash: string;
     /** Scope the scanner read to produce this row. See WorkflowState comment. */
     observedScope?: ScanScope;
 }
@@ -53,38 +54,40 @@ export interface PluginState {
      *  `agents.length === 2` the UI shows a BOTH badge and Apply installs to
      *  each agent in turn. Status is aggregated across all targeted agents:
      *  `installed` ⇔ all agents installed; `not-installed` ⇔ all not-installed;
-     *  any partial state (one side installed, other not) → `update-available`
-     *  so a single Apply backfills the missing side. */
+     *  mixed → `partial-install` (some installed, some not). */
     agents: ApplyAgent[];
-    currentVersion?: string;
-    expectedVersion?: string;
-    versionSource: "upstream-live" | "catalog";
+    /** Agents that target this plugin but don't have it installed. Populated
+     *  iff `status === "partial-install"`. Drives the "Missing on Codex"
+     *  UI caption + tells the user exactly which side needs backfill. */
+    missingAgents?: ApplyAgent[];
     /** Scope the scanner read to produce this row. Codex plugins are always
      *  "user" (Codex has no project-scope plugin concept). See WorkflowState
      *  comment on why this is typed optional. */
     observedScope?: ScanScope;
     /** True for plugins whose source lives in an upstream marketplace, not in
-     *  this repo (skill-creator / claude-md-management / codex). The scanner
-     *  short-circuits update-available reporting for these — upgrades go
-     *  through `claude plugins update`, not us. The UI renders an EXTERNAL
-     *  badge to make the "not our jurisdiction" signal explicit. */
+     *  this repo (skill-creator / claude-md-management / codex). Pure UI hint
+     *  since v1.19.0 — the EXTERNAL badge tells users upgrades go through
+     *  `claude plugins update`, not via auriga-cli. */
     external?: boolean;
 }
 export interface HookState {
     name: string;
     description: string;
     status: ItemStatus;
-    currentHash?: string;
-    expectedHash: string;
     /** Scope the scanner read to produce this row. See WorkflowState comment. */
     observedScope?: ScanScope;
 }
 export interface StateWarning {
-    code: "claude-cli-missing" | "codex-cli-missing" | "marketplace-offline" | "claude-code-not-installed" | "settings-unreadable" | "skill-malformed" | "workflow-unknown-version";
+    code: "claude-cli-missing" | "codex-cli-missing" | "marketplace-offline" | "claude-code-not-installed" | "settings-unreadable" | "skill-malformed"
+    /** Project-scope CLAUDE.md (or the user-scope fallback when scanning
+     *  user scope) is present but has no recognizable `# auriga Workflow (vX.Y.Z)`
+     *  header. The row reports `not-installed`; install will back up the
+     *  existing file to `CLAUDE.md.bak` and write ours. */
+     | "workflow-foreign-claudemd";
     message: string;
 }
 export type ApplyCategory = "workflow" | "skill" | "recommended-skill" | "plugin" | "hook";
-export type ApplyAction = "install" | "update" | "uninstall";
+export type ApplyAction = "install" | "uninstall";
 /**
  * Installer scope. Carried per-item so the Web UI can mix scopes within a
  * single apply batch.

package/dist/apply-handlers.js

@@ -17,6 +17,10 @@
 //   hook:               installHook(hookDef, "project",…)│  needs HookDef
 //   hook:               uninstallHook(name, …)           │
 //
+// v1.19.0 dropped the "update" action — every installer is idempotent and
+// overwriting, so re-running install IS the update path. Apply receives
+// "install" or "uninstall" only.
+//
 // Spec: docs/architecture/web-ui.md §6.4 (apply execution model).
 import { installHook, loadHooksConfig, uninstallHook } from "./hooks.js";
 import { installPlugins, uninstallPlugin, } from "./plugins.js";
@@ -24,7 +28,6 @@ import { installRecommendedSkills, installSkills, uninstallSkill, } from "./skil
 import { installWorkflow, uninstallWorkflow } from "./workflow.js";
 const ALL_ACTIONS = new Set([
     "install",
-    "update",
     "uninstall",
 ]);
 function assertAction(action) {
@@ -43,7 +46,7 @@ export function buildDefaultApplyHandlers(ctx) {
         // the Workflow column's EN/ZH-CN picker). Falls back to ctx lang for
         // CLI-mode callers that don't pass it.
         const installLang = requestedLang ?? lang;
-        if (action === "install" || action === "update") {
+        if (action === "install") {
             await installWorkflow(packageRoot, {
                 interactive: false,
                 cwd,
@@ -68,7 +71,7 @@ export function buildDefaultApplyHandlers(ctx) {
     const skill = async (action, name, { onLog, scope }) => {
         assertAction(action);
         const installScope = scope ?? "project";
-        if (action === "install" || action === "update") {
+        if (action === "install") {
             await installSkills(packageRoot, {
                 interactive: false,
                 cwd,
@@ -88,7 +91,7 @@ export function buildDefaultApplyHandlers(ctx) {
     const recommendedSkill = async (action, name, { onLog, scope }) => {
         assertAction(action);
         const installScope = scope ?? "project";
-        if (action === "install" || action === "update") {
+        if (action === "install") {
             await installRecommendedSkills(packageRoot, {
                 interactive: false,
                 cwd,
@@ -119,7 +122,7 @@ export function buildDefaultApplyHandlers(ctx) {
         const failures = [];
         for (const agent of agents) {
             try {
-                if (action === "install" || action === "update") {
+                if (action === "install") {
                     await installPlugins(packageRoot, {
                         interactive: false,
                         cwd,
@@ -162,10 +165,9 @@ export function buildDefaultApplyHandlers(ctx) {
             });
             return;
         }
-        // install + update both run installHook with the requested scope. The
-        // hook installer is idempotent — re-running == "update". Look up the
-        // HookDef in the bundled registry; unknown name → loud throw so the
-        // SSE caller surfaces it as item:done success=false.
+        // Look up the HookDef in the bundled registry; unknown name → loud throw
+        // so the SSE caller surfaces it as item:done success=false. The hook
+        // installer is idempotent; re-running install is the update path.
         const config = loadHooksConfig(packageRoot);
         const hookDef = config.hooks.find((h) => h.name === name);
         if (!hookDef) {

package/dist/catalog.d.ts

@@ -1,14 +1,6 @@
 export interface CatalogEntry {
     name: string;
     description: string;
-    /** Build-time-baked plugin version. Set ONLY for plugin entries whose
-     *  source lives in this repo's `plugins/<name>/` directory — the scanner
-     *  uses it to surface "update-available" when the user's installed copy
-     *  is older. Absent for skill / hook entries and for external-marketplace
-     *  plugins (whose manifest lives upstream). Must be baked at build time
-     *  because `plugins/<name>/.claude-plugin/plugin.json` is NOT shipped in
-     *  the npm tarball (see `package.json` `files` field). */
-    expectedVersion?: string;
     /** Build-time-baked agent map for plugin entries. Derived from
      *  `.claude/plugins.json` ∪ `.agents/plugins/install.json` — those config
      *  files are NOT shipped in the npm tarball, so the scanner can't read
@@ -17,21 +9,13 @@ export interface CatalogEntry {
      *  Absent on skill / hook entries. */
     agents?: ("claude" | "codex")[];
     /** True for plugins whose source lives in an UPSTREAM marketplace
-     *  (skill-creator / claude-md-management / codex), not in this repo. The
-     *  scanner uses this to disable update-available reporting — those
-     *  plugins update through `claude plugins update`, not through us. UI
-     *  surfaces an EXTERNAL badge so users know where to look. */
+     *  (skill-creator / claude-md-management / codex), not in this repo.
+     *  Pure UI hint since v1.19.0 — the EXTERNAL badge tells users that
+     *  upgrades go through `claude plugins update`, not us. */
     external?: boolean;
 }
 export interface Catalog {
     generatedAt: string;
-    /** Workflow content version baked from `CLAUDE.md`'s `# auriga Workflow (vX.Y.Z)`
-     *  header at build time. MUST live here rather than be read at runtime
-     *  because `CLAUDE.md` is NOT in the npm tarball — `package.json` `files`
-     *  allowlists only `dist/`. Empty string when the header is unparseable;
-     *  the scanner then degrades to "trust whatever the user has" rather than
-     *  forcing phantom update-available against an empty expected value. */
-    workflowVersion: string;
     workflowSkills: CatalogEntry[];
     recommendedSkills: CatalogEntry[];
     plugins: CatalogEntry[];

package/dist/catalog.json

@@ -1,6 +1,5 @@
 {
-  "generatedAt": "2026-05-12T15:14:34.188Z",
-  "workflowVersion": "1.7.0",
+  "generatedAt": "2026-05-13T02:06:00.781Z",
   "workflowSkills": [
     {
       "name": "brainstorming",
@@ -104,8 +103,7 @@
       "agents": [
         "claude",
         "codex"
-      ],
-      "expectedVersion": "1.1.0"
+      ]
     },
     {
       "name": "auriga-git-guards",
@@ -113,8 +111,7 @@
       "agents": [
         "claude",
         "codex"
-      ],
-      "expectedVersion": "1.1.0"
+      ]
     },
     {
       "name": "deep-review",
@@ -122,16 +119,14 @@
       "agents": [
         "claude",
         "codex"
-      ],
-      "expectedVersion": "0.3.1"
+      ]
     },
     {
       "name": "session-instructions-loader",
       "description": "(Codex) Injects extra instruction files on session start",
       "agents": [
         "codex"
-      ],
-      "expectedVersion": "1.0.0"
+      ]
     }
   ],
   "hooks": [

package/dist/cli.js

@@ -576,7 +576,29 @@ async function runUi(p, version) {
     const { buildScanCatalog } = await import("./scan-catalog.js");
     const { ensureUiBundle } = await import("./ui-fetch.js");
     const cwd = process.cwd();
-    const packageRoot = getPackageRoot();
+    // Two roots, two responsibilities (mirrors the TTY install path's pattern):
+    //   - tarballRoot: where `dist/catalog.json` + the bundled DEV ui/dist live.
+    //     Always read from the installed npm package; can't be fetched because
+    //     dist/ is built artifact, not git content.
+    //   - contentRoot: where the runtime install recipes live (CLAUDE.md,
+    //     .claude/plugins.json, .claude/hooks/hooks.json, .agents/plugins/
+    //     install.json + marketplace.json, skills-lock.json). These files are
+    //     NOT in the npm tarball — the `files` allowlist only ships `dist/*`
+    //     + npm defaults. They are fetched from GitHub, pinned to the CLI
+    //     version tag, by fetchContentRoot(). Under DEV=1 fetchContentRoot
+    //     short-circuits to the repo root so this is a no-op there.
+    // Without the contentRoot fix, tarball-installed Web UI users hit ENOENT
+    // on any Codex plugin install (apply handlers read .agents/plugins/
+    // install.json from packageRoot).
+    const tarballRoot = getPackageRoot();
+    let contentRoot;
+    try {
+        contentRoot = await fetchContentRoot();
+    }
+    catch (e) {
+        log.error(`Failed to fetch content: ${e.message}`);
+        return 1;
+    }
     // 1. Resolve UI bundle directory.
     let uiDir;
     if (p.uiDir) {
@@ -588,7 +610,7 @@ async function runUi(p, version) {
     }
     else if (process.env.DEV === "1") {
         // Dev convenience: prefer the locally-built ui/dist over a network fetch.
-        const localDist = path.join(packageRoot, "ui", "dist");
+        const localDist = path.join(tarballRoot, "ui", "dist");
         if (fs.existsSync(path.join(localDist, "index.html"))) {
             uiDir = localDist;
         }
@@ -613,7 +635,9 @@ async function runUi(p, version) {
     // 2. Build scan catalog → ApplyCatalog + pluginAgentsByName.
     let scanCatalog;
     try {
-        scanCatalog = await buildScanCatalog(packageRoot);
+        // dist/catalog.json ships in the tarball — read from tarballRoot, not
+        // the fetched content root (which doesn't carry build artifacts).
+        scanCatalog = await buildScanCatalog(tarballRoot);
     }
     catch (e) {
         log.error(`Failed to build catalog: ${e.message}`);
@@ -635,7 +659,10 @@ async function runUi(p, version) {
         pluginAgentsByName.set(name, def.agents);
     }
     const applyHandlers = buildDefaultApplyHandlers({
-        packageRoot,
+        // contentRoot: install handlers read CLAUDE.md, plugins.json,
+        // hooks.json, install.json, marketplace.json — all CONTENT_FILES.
+        // Routing them at tarballRoot fails ENOENT for npm-installed users.
+        packageRoot: contentRoot,
         cwd,
         pluginAgentsByName,
     });
@@ -656,7 +683,11 @@ async function runUi(p, version) {
                 port,
                 token,
                 cwd,
-                packageRoot,
+                // server reads dist/catalog.json (tarball-shipped) via
+                // buildScanCatalog on each /api/state call; install-time content
+                // (install.json, plugins.json, CLAUDE.md, …) was already injected
+                // into applyHandlers above with contentRoot.
+                packageRoot: tarballRoot,
                 heartbeatTimeoutMs: UI_HEARTBEAT_TIMEOUT_MS,
                 applyHandlers,
                 applyCatalog,

package/dist/scan-catalog.js

@@ -1,53 +1,20 @@
 // Build the scan-time Catalog (the shape src/state.ts consumes) from the
-// build-time `dist/catalog.json`. This module is intentionally a *thin
-// adapter* — it must NOT read any file outside `dist/catalog.json`, because
-// the npm tarball's `files` field allowlists only `dist/`. Reading from
-// `packageRoot/CLAUDE.md`, `packageRoot/.claude/plugins.json`, or
-// `packageRoot/.agents/skills/<name>/SKILL.md` succeeds in dev (where
-// packageRoot === repoRoot) but silently returns empty for npm-installed
-// users, leaving the scanner unable to surface real update signals.
-//
-// Anything the scanner needs beyond what's already in catalog.json must
-// first be baked at build time in `src/build/generate-catalog.ts`.
-//
-// Scope of the current bake (covered fields):
-//   - workflowVersion         — from CLAUDE.md header
-//   - plugin agents map       — from .claude/plugins.json ∪ .agents/plugins/install.json
-//   - plugin expectedVersion  — from plugins/<name>/.claude-plugin/plugin.json
-//   - plugin external flag    — derived (no in-tree manifest = external)
-//
-// Out of scope for v1.18.4 (follow-up PRs):
-//   - hook expectedEvent / expectedMatcher / expectedIf (from .claude/hooks/hooks.json)
-//   - apply-time installer config (the install path reads .claude/plugins.json
-//     directly — that needs runWebUi → fetchContentRoot rewire, not bake).
-import { readFile } from "node:fs/promises";
-import path from "node:path";
+// build-time `dist/catalog.json`. Thin adapter — reads dist/catalog.json
+// only. v1.19.0 dropped all version / hash / event comparison from the
+// scanner, so the build-time catalog is reduced to {description, agents?,
+// external?} per entry; runtime reads outside dist/ are no longer needed.
 import { loadCatalog } from "./catalog.js";
-async function tryReadFile(p) {
-    try {
-        return await readFile(p, "utf8");
-    }
-    catch {
-        return null;
-    }
-}
 export async function buildScanCatalog(packageRoot) {
     const dist = loadCatalog(packageRoot);
-    // Workflow version — baked from CLAUDE.md header at build time. See
-    // module comment for the "no runtime reads outside dist/" rule.
-    const workflowVersion = dist.workflowVersion ?? "";
-    // Skills: drift detection deliberately deferred to `npx skills update
-    // --project`, which already compares against the skill's own upstream
-    // repo HEAD. Our catalog snapshot would only know "what auriga-cli
-    // shipped at this CLI release" — at best a stale proxy that mis-reports
-    // legitimate user-side updates as drift. Setting expectedHash to "" puts
-    // classifySkillByFile into wildcard mode: row reports installed if
-    // SKILL.md exists, not-installed otherwise; never update-available.
+    // v1.19.0 dropped update-available status. The scanner is now presence-
+    // only: skills / hooks / plugins / workflow all report installed iff their
+    // truth source exists, not-installed otherwise. No version / hash / event
+    // comparison happens, so the build-time catalog is reduced to the bare
+    // {description, agents?, external?} shape per entry.
     const skills = {};
     for (const entry of dist.workflowSkills) {
         skills[entry.name] = {
             description: entry.description,
-            expectedHash: "",
             isWorkflow: true,
         };
     }
@@ -55,16 +22,8 @@ export async function buildScanCatalog(packageRoot) {
     for (const entry of dist.recommendedSkills) {
         recommendedSkills[entry.name] = {
             description: entry.description,
-            expectedHash: "",
         };
     }
-    // Plugins: agents + expectedVersion + external all come from
-    // dist/catalog.json now (baked in src/build/generate-catalog.ts). The
-    // previous version of this module read .claude/plugins.json +
-    // .agents/plugins/install.json at runtime — those files are NOT in the
-    // npm tarball, so for installed users every plugin defaulted to a
-    // ["claude"] agent classification (root cause of dual-Agent plugin
-    // mis-classification in v1.18.x).
     const plugins = {};
     for (const entry of dist.plugins) {
         const agents = Array.isArray(entry.agents) && entry.agents.length > 0
@@ -73,47 +32,12 @@ export async function buildScanCatalog(packageRoot) {
         plugins[entry.name] = {
             description: entry.description,
             agents,
-            ...(typeof entry.expectedVersion === "string" && entry.expectedVersion.length > 0
-                ? { expectedVersion: entry.expectedVersion }
-                : {}),
             ...(entry.external === true ? { external: true } : {}),
         };
     }
-    // Hooks: TODO follow-up — bake expectedEvent / expectedMatcher / expectedIf
-    // into dist/catalog.json the same way agents are baked. Currently the
-    // runtime read of packageRoot/.claude/hooks/hooks.json works in dev
-    // (packageRoot === repoRoot) but fails silently for npm-installed users
-    // — `package.json` `files` allowlist doesn't ship `.claude/`. So hook
-    // drift detection is correct in dev and degraded (always "installed" if
-    // marker present) in production. Follow-up bake closes the dev/prod gap.
-    const hooksJsonPath = path.join(packageRoot, ".claude", "hooks", "hooks.json");
-    const hooksJsonRaw = await tryReadFile(hooksJsonPath);
-    const hooksJson = hooksJsonRaw ? JSON.parse(hooksJsonRaw) : {};
-    const settingsEventsByName = new Map();
-    for (const h of hooksJson.hooks ?? []) {
-        if (typeof h.name === "string" && h.settingsEvents?.length) {
-            settingsEventsByName.set(h.name, h.settingsEvents[0]);
-        }
-    }
     const hooks = {};
     for (const entry of dist.hooks) {
-        const ev = settingsEventsByName.get(entry.name);
-        hooks[entry.name] = {
-            description: entry.description,
-            // Empty expectedHash flips state.ts into wildcard mode — drift judged
-            // purely from the structured expected* fields below, not from a
-            // settings-entry content hash.
-            expectedHash: "",
-            ...(typeof ev?.event === "string" ? { expectedEvent: ev.event } : {}),
-            ...(typeof ev?.matcher === "string" ? { expectedMatcher: ev.matcher } : {}),
-            ...(typeof ev?.if === "string" ? { expectedIf: ev.if } : {}),
-        };
+        hooks[entry.name] = { description: entry.description };
     }
-    return {
-        workflowVersion,
-        skills,
-        recommendedSkills,
-        plugins,
-        hooks,
-    };
+    return { skills, recommendedSkills, plugins, hooks };
 }

package/dist/server.js

@@ -171,7 +171,7 @@ const VALID_CATEGORIES = new Set([
     "plugin",
     "hook",
 ]);
-const VALID_ACTIONS = new Set(["install", "update", "uninstall"]);
+const VALID_ACTIONS = new Set(["install", "uninstall"]);
 const VALID_SCOPES = new Set(["project", "user"]);
 const VALID_LANGS = new Set(["en", "zh-CN"]);
 function parseApplyRequest(raw) {

package/dist/state.d.ts

@@ -1,57 +1,37 @@
 import type { PluginState, ScanScope, StateReport } from "./api-types.js";
 export interface Catalog {
-    workflowVersion: string;
     skills: Record<string, {
         description: string;
-        expectedHash: string;
         isWorkflow: boolean;
     }>;
     recommendedSkills: Record<string, {
         description: string;
-        expectedHash: string;
     }>;
     plugins: Record<string, {
         description: string;
         /** Agents this plugin can install into. Length 1 or 2. */
         agents: ("claude" | "codex")[];
-        expectedVersion?: string;
-        /** When true, this plugin is published in an UPSTREAM marketplace
-         *  (skill-creator / claude-md-management / codex), not in this repo.
-         *  Classifier MUST NOT report `update-available` for external plugins —
-         *  those upgrade through `claude plugins update`, not us. The UI surfaces
-         *  an EXTERNAL badge so users know to defer to the upstream tool. */
+        /** True for plugins whose source lives in an upstream marketplace
+         *  (skill-creator / claude-md-management / codex). Drives the UI's
+         *  EXTERNAL badge — upgrades go through `claude plugins update`, not us.
+         *  Pure UI hint since v1.19.0 (used to also gate update-available
+         *  reporting; that surface was removed). */
         external?: boolean;
     }>;
     hooks: Record<string, {
         description: string;
-        /** Coarse drift signal. The current production scan-catalog still
-         *  populates this with sha256(index.mjs) for back-compat with the v0.x
-         *  scanner that hashed the user's installed script. The new
-         *  settings.json-based scanner ignores it for drift comparison unless
-         *  the catalog also exposes the structured expected* fields below. */
-        expectedHash: string;
-        /** Settings.json event name (e.g. "PostToolUse", "Notification"). When
-         *  set, the scanner flags drift if the on-disk settings entry registers
-         *  under a different event. Optional; left undefined the scanner trusts
-         *  whatever event the marker was found under. */
-        expectedEvent?: string;
-        /** Settings.json `matcher` field (e.g. "Write|Edit" for PostToolUse).
-         *  Empty string means "no matcher" (e.g. Notification hooks). When set,
-         *  the scanner flags drift if the on-disk value differs. */
-        expectedMatcher?: string;
-        /** Settings.json `if` field (Claude-Code-specific filter expression).
-         *  Same drift semantics as expectedMatcher. */
-        expectedIf?: string;
     }>;
 }
 export interface ScanOptions {
     /** Run `claude plugins list` for the given scope. The scope argument is
      *  required so server.ts can pass --user / --project through to the CLI
      *  per opts.scopes.plugins. Implementations may accept a zero-arg legacy
-     *  form for back-compat but MUST honor a scope argument when given. */
+     *  form for back-compat but MUST honor a scope argument when given.
+     *
+     *  Returns just the installed records — v1.19.0 dropped the parallel
+     *  `--available` fetch since the scanner no longer compares versions. */
     execPluginList?: (scope: ScanScope) => Promise<{
         installed: any[];
-        available: any[];
     }>;
     readCodexConfig?: () => Promise<string | null>;
     readCodexPluginsDir?: () => Promise<Map<string, string>>;
@@ -71,32 +51,16 @@ export interface ScanOptions {
     homeDir?: string;
 }
 export declare function scanState(projectRoot: string, catalog: Catalog, opts?: ScanOptions): Promise<StateReport>;
-/**
- * Dedupe plugins by `id`, merging dual-Agent records into a single
- * multi-agent row. Aggregation rules:
- *
- *   agents:  union of all agent arrays for this id (claude before codex).
- *   status:  installed     ⇔ every agent's record is installed
- *            not-installed ⇔ every agent's record is not-installed
- *            otherwise     → update-available (partial install or any agent
- *                            with a pending update). One Apply covers all
- *                            gaps because the handler iterates `agents`.
- *
- * Non-status fields (description, currentVersion, expectedVersion,
- * versionSource) come from the first record we see. Today both sides report
- * the same description (catalog-driven) and the same versions for any
- * registry-pinned plugin, so this is safe; if a future divergence appears
- * we'll need a deliberate merge policy.
- */
 export declare function mergePluginsById(records: PluginState[]): PluginState[];
 /** Default: run `claude plugins list --json` (no scope flag — the CLI
- *  doesn't expose one) plus the `--available` variant, then filter the
- *  installed records to the requested scope (and current projectRoot for
- *  project-scope) client-side. Server.ts decides whether to pass this
- *  function based on `which claude`. */
+ *  doesn't expose one), then filter the installed records to the requested
+ *  scope (and current projectRoot for project-scope) client-side. Server.ts
+ *  decides whether to pass this function based on `which claude`.
+ *
+ *  v1.19.0 dropped the parallel `--available` fetch — the scanner no longer
+ *  compares versions, so there's no use for the upstream-live ref. */
 export declare function defaultExecPluginList(scope?: ScanScope, projectRoot?: string): Promise<{
     installed: any[];
-    available: any[];
 }>;
 export declare function defaultReadCodexConfig(): Promise<string | null>;
 /** Walk `~/.codex/plugins/cache/<marketplace>/<plugin>/<version>/`, returning